This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 15%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJB%3C/text%3E%3C/svg%3E)
Hi,
Just like to understand about the email header particularly the From and Reply-To section.
First Question:
I received an email coming from this [sample email address and names]
From: Joe Satriani <******@gotowebinar.com>
Reply-To: ******@serviceit.com
Does this mean that gotowebinar.com mail servers is sending in behalf of serviceit.com domain? And when I reply to that email Joe Satriani <****@gotowebinar.com>** it will be forwarded to ******@serviceit.com ?
Second Question:
I received an email that goes like this:
From: 'Ahmed G' via SPECIAL GROUP <******@mydomain.com>
Reply-To: ******@ahmeddomain.com
How was it that the From field is using my specialgroup distro list? I did not allow Ahmed and other external domains from using our mail servers as sender on behalf of our domain. It's not just that but other external domains as well we see in the reply-to field but using our distro in the From field.
Can anybody shed light?
Thanks!
Adding right tags/teams to assist further.
Please check whether you specified any other account in the From field(in case if you tried onbehalf of scenarios)?
No, have not done that. No accounts where added in the form field. I'm particular with the second question though.
I found out now why it is so. This applies if DMARC policy has p=reject or p=quarantine. The receiver's delivery system will allow the use of via so not to trigger the DMARC policy of the sender thus delivering the mail successfully.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 22%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
Thanks for your sharing!
@Janus Bariñan
Hi,
First Question:
To my knowledge,the Reply-to email address can be modified via many email clients when sending emails.
Let's take Outlook for example:
When you are going to use email address (******@Domain-A.com for example) to send a new email, you can configure the Reply-to address to be ******@Domain-B.com like in the following screenshot:
In this case, when the recipient replies to the email, only the ******@Domain-B.com will get the reply email, while the ******@Domain-A.com won't.
And in your case, if you reply to the email, only @serviceit.com will get your response.
Unless there are some forwarding rules or settings to forward the email to Joe Satriani <@gotowebinar.com> in their environment.
I think it is maybe because Joe Satriani <******@gotowebinar.com> set the Reply-to address himself when sending the email.
Or it may also be someone hacked the sender's account and changed the Reply-to address to send the spoofed emails which you need to pay attention to.
Second Question:
I think it should be Email spoofing.
Have you configured SPF,DKIM or DMARC records for your email domain?
If haven't yet, please take it into consideration for security.
Here is an article on this topic for your reference: Office 365: Using SPF, DKIM and DMARC for Secure Messaging
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for shedding light on my first question.
For the second question yes we have spf, dkim and dmarc. What I noticed is that all external domains who seems to reply using the distro mail seems to have this 'Name of Person who replied' via SPECIAL GROUP <****@mydomain.com>**
I suppose that it is because the name of this special group has been exposed to these senders.
As they know it is an active address, they use it to send spoof emails.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I dont think they are using it for spoofing but their emails are legit. Some are business related, their domains are from partners while other emails came from legit companies trying to sell something.
Sorry I made a mistake on this question.
The form "Name of Person who replied' via SPECIAL GROUP <@mydomain.com>" should mean the actual sender is SPECIAL GROUP <@mydomain.com>.
But the From address is changed to 'Name of Person who replied'.
So the problem may be someone in the special group sent the mails and changed the Form and Reply to addresses.